1. Field of the Invention
The present invention relates to the field of bulk power system management. More specifically, the present invention relates to systems and methods for complying with network security requirements under the NERC Critical Infrastructure Protection (CIP) regulations in order to protect bulk power systems.
2. Description of Related Art
A computer network is a network of data processing nodes that are interconnected for the purpose of data communication. A computer network can comprise two or more computers and a set of network hardware interconnected by communications channels that allow sharing of resources and information. Organizations rely on computer networks so that two or more separate computer users can communicate using email, instant messages, video conferencing, etc., share information such as files and data, or access distributed computing resources on other computers of the network. While organizations typically have their own internal network (a local area network (LAN) such as an intranet), the necessity of communicating information outside the organization carries an inherent vulnerability: without appropriate safeguards, malicious entities outside the organization may access or exploit these networks. Vulnerabilities in computer network security include malicious code such as viruses, worms, and Trojan horses as well as open communication routes, all of which may allow individuals, groups of individuals, or programs to gain unauthorized access to the network. This access can result in damaged files, infection of multiple computers throughout the network, theft of confidential information, or denial-of-service attacks.
Communications gateways on computing devices within a computer network are referred to as ports. A port is a logical data connection that can be used to exchange data between computers. Each port is specific to a particular application, process, or service running on the computing device, and allows a computing device on the network to access that particular application, process, or service; the port thus acts as a door or gateway through which the application, process, or service is reached. Like a door, a port may be open or closed. An open port on a computer is a port associated with an application, process, or service that is available for access by another computer on the network. A closed port is not associated with any application, process, or service that is available for access. Communications protocols employ both the IP address of the computer that is to be accessed and a specific port number, a 16-bit number specific to each application, process, or service, to route data packets first to the target computer and then to the target application. Port numbers range from 0 to 65,536 and are assigned by the International Assigned Numbers Authority (IANA). Sockets are endpoints of a bidirectional communication that use the IP address and port number together to deliver the data packets of the communication to the correct application. Services are system processes that support the running of a particular program.
Exploitation of open ports is a standard method that computer hackers use to gain unauthorized access to particular applications. Hackers can identify open ports on a computer by systematically scanning the target computer to determine which ports are open and which are closed. This involves sending a connection request to a range of port addresses on a target computer, with the purpose of identifying active ports that are associated with an application having one or more vulnerabilities that may be exploited. Thus, from a network security standpoint, it is desirable to limit the active ports on a computer to only those that are necessary for critical applications, processes, and services. Computer network administrators employ software called ports and services scanners that probe computers on the network for open ports. However, existing software has limitations in that it often scans only the most common port numbers, or only those ports that have been identified as associated with the most vulnerable services. Further, inaccuracies in port scanning software result in some ports being falsely identified as potentially running vulnerable services, and these false positives severely limit the ability to determine the true vulnerability of the network.
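The open/closed distinction and the "port number is not the service" caveat behind the false-positive problem can be seen on a single host. The following Python program is an added example and is not part of the original document: it starts a constructed, hypothetical test listener (TESTSVC, not a real protocol) on an OS-chosen loopback port, classifies that port and a port with no listener the way a ports-and-services scanner would, and reads the banner the listening application actually sends, which is the only way to know what is really behind a port.

```python
import socket
import threading

# Constructed stand-in for an application that has opened a port: it binds an
# OS-chosen port on the loopback interface and greets each client with a banner.
# Hypothetical test service, not a real protocol.
TEST_BANNER = b"TESTSVC 1.0\r\n"


def start_test_listener(banner: bytes = TEST_BANNER):
    """Bind a TCP listener on 127.0.0.1 and return (server_socket, stop_event, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))      # port 0: let the OS pick any free port
    srv.listen(5)
    srv.settimeout(0.2)             # lets the accept loop notice the stop flag
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:         # listener closed underneath us
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, stop, port


def port_state(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port the way a ports-and-services scanner does:
    'open' if the connection is accepted, 'closed' if the host refuses it,
    'filtered' if nothing answers within the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"


def read_banner(host: str, port: int, timeout: float = 1.0) -> bytes:
    """Connect to an open port and read whatever the listening application sends first."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        return s.recv(128)


def free_port(host: str = "127.0.0.1") -> int:
    """Obtain a port number on which nothing is currently listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]   # socket is closed on exit, so the port is closed


def demo() -> dict:
    """Open one port, leave another closed, and record how each looks from the network."""
    srv, stop, open_port = start_test_listener()
    try:
        closed_port = free_port()
        return {
            "open_port_state": port_state("127.0.0.1", open_port),
            "closed_port_state": port_state("127.0.0.1", closed_port),
            "banner": read_banner("127.0.0.1", open_port),
        }
    finally:
        stop.set()
        srv.close()


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Because the listener's port is chosen at random by the operating system, no table of "well-known" port numbers would tell a scanner what service it is; only the banner (or, better, the owning process on the host itself) does. A scanner that labels ports by number alone produces exactly the false positives the passage above describes.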
The United States electrical grid, as well as the power grids of other countries, has been increasingly recognized as vulnerable to cyber attack. A case in point is Supervisory Control and Data Acquisition (SCADA) systems, which are used to control equipment in electric power companies as well as in manufacturing facilities, water treatment plants, and nuclear power facilities. The Stuxnet computer worm, designed by U.S. and Israeli intelligence agencies, was created to target Siemens SCADA systems controlling Iranian nuclear enrichment facilities, and similar SCADA systems used in large public power companies are integrated with networks that have direct links to the internet. U.S. intelligence agencies have detected numerous intrusions into electrical grid infrastructure by hackers based in China, Russia, and other countries. In 2010, the Department of Homeland Security created special teams as part of an Industrial Control Systems Computer Emergency Response Team (ICS CERT) to assess industrial control systems at U.S. power plants for network vulnerability.
Further, the North American Electric Reliability Corporation (NERC), a nonprofit governmental agency that regulates power companies in the United States, has established numerous regulations including Critical Infrastructure Protection (CIP) requirements that govern proper network security protocols and procedures at power plants. Included in these regulations is the requirement that only ports and services necessary for operations are enabled, and unnecessary ports and services are disabled. NERC CIP standards define requirements for ports and services used within networks in bulk power systems. For example, Requirement 2.2 (R 2.2) in Standard CIP-005-3 states the following:
At all access points to the Electronic Security Perimeter(s), the Responsible Entity shall enable only ports and services required for operations and for monitoring Cyber Assets within the Electronic Security Perimeter, and shall document, individually or by specified grouping, the configuration of those ports and services.
Similarly, Requirement 4.2 of the same document requires an annual review to verify that only ports and services required for operations at electronic access points to the Electronic Security Perimeter are enabled.
As a further example, NERC standard CIP-007-3 defines ports and services requirements as follows:
R2. Ports and Services—The Responsible Entity shall establish, document and implement a process to ensure that only those ports and services required for normal and emergency operations are enabled.
R2.1. The Responsible Entity shall enable only those ports and services required for normal and emergency operations.
R2.2. The Responsible Entity shall disable other ports and services, including those used for testing purposes, prior to production use of all Cyber Assets inside the Electronic Security Perimeter(s).
R2.3. In the case where unused ports and services cannot be disabled due to technical limitations, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure.
Similarly, Requirement 8 of NERC standard CIP-007-3 requires an annual review to verify that only ports and services required for Cyber Assets within the Electronic Security Perimeter are enabled.
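Requirements R2.1 through R2.3 and the annual review of Requirement 8 describe a comparison between what is actually listening on a Cyber Asset and a documented list of what is approved, with a documented compensating measure for anything that cannot be turned off. The Python program below is an added example written for this page; it is not the invention's own software and does not come from NERC. It parses a constructed sample in the shape of Linux `ss -ltnp` output (not captured from a real host), compares it with a constructed approved-ports baseline for one hypothetical Cyber Asset, and sorts the result into the buckets the requirements care about: enabled and approved, enabled but not approved (must be disabled under R2.2, including leftovers from testing), approved port owned by an unexpected program, port that cannot be disabled but has no compensating measure documented (R2.3), and approved entries that are no longer enabled.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of `ss -ltnp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128        0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      511        0.0.0.0:443        0.0.0.0:*     users:(("nginx",pid=1034,fd=6))
LISTEN 0      128        0.0.0.0:502        0.0.0.0:*     users:(("modbusd",pid=1101,fd=4))
LISTEN 0      50         0.0.0.0:23         0.0.0.0:*     users:(("telnetd",pid=1188,fd=3))
LISTEN 0      5        127.0.0.1:8080       0.0.0.0:*     users:(("python3",pid=1402,fd=3))
LISTEN 0      128           [::]:22            [::]:*     users:(("sshd",pid=812,fd=4))
"""

# State, Recv-Q, Send-Q, local addr:port, peer addr:port, then the owning process.
SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


@dataclass(frozen=True)
class Listener:
    port: int
    process: str
    pid: int


def parse_listeners(ss_output: str) -> list[Listener]:
    """Turn `ss -ltnp` text into Listener records, collapsing the IPv4/IPv6
    duplicates of one process listening on one port."""
    seen, result = set(), []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue                      # header line or a non-LISTEN socket
        rec = Listener(int(m["port"]), m["proc"], int(m["pid"]))
        if rec not in seen:
            seen.add(rec)
            result.append(rec)
    return result


@dataclass(frozen=True)
class ApprovedPort:
    port: int
    service: str
    justification: str                # why it is needed for normal/emergency operations (R2.1)
    cannot_disable: bool = False      # technical limitation per R2.3
    compensating_measure: str = ""    # must be documented when cannot_disable is True


# Constructed approved-ports list for one hypothetical Cyber Asset.
BASELINE = [
    ApprovedPort(22, "sshd", "remote administration from the control-center jump host"),
    ApprovedPort(443, "nginx", "operator HMI web front end"),
    ApprovedPort(502, "modbusd", "Modbus/TCP polling of field RTUs"),
    ApprovedPort(161, "snmpd", "monitoring by the network management station"),
    ApprovedPort(23, "telnetd", "vendor maintenance console; firmware offers no way to disable it",
                 cannot_disable=True),   # compensating measure has not been written down
]


def assess(listeners: list[Listener], baseline: list[ApprovedPort]) -> dict:
    """Compare what is actually listening with what is approved."""
    approved = {a.port: a for a in baseline}
    enabled = {l.port: l for l in listeners}
    findings = {
        "compliant": [],                      # enabled, approved, documented
        "disable_required": [],               # enabled but not approved (R2.2)
        "unexpected_process": [],             # approved port, but a different program owns it
        "compensating_measure_missing": [],   # cannot be disabled and no measure documented (R2.3)
        "approved_but_not_enabled": [],       # baseline entry that may be stale
    }
    for port, lst in sorted(enabled.items()):
        appr = approved.get(port)
        if appr is None:
            findings["disable_required"].append((port, lst.process, lst.pid))
        elif lst.process != appr.service:
            findings["unexpected_process"].append((port, appr.service, lst.process))
        elif appr.cannot_disable and not appr.compensating_measure.strip():
            findings["compensating_measure_missing"].append(port)
        else:
            findings["compliant"].append(port)
    for port in sorted(set(approved) - set(enabled)):
        findings["approved_but_not_enabled"].append(port)
    return findings


def is_compliant(findings: dict) -> bool:
    """True only when nothing needs disabling, no approved port is owned by the
    wrong program, and every undisableable port has a compensating measure."""
    return not (findings["disable_required"]
                or findings["unexpected_process"]
                or findings["compensating_measure_missing"])


if __name__ == "__main__":
    report = assess(parse_listeners(SAMPLE_SS_OUTPUT), BASELINE)
    for bucket, items in report.items():
        print(f"{bucket}: {items}")
    print("compliant:", is_compliant(report))
```

The baseline carries the justification text alongside each port so the same record serves as the documentation the requirement asks for, and the annual review is simply this comparison run again against a fresh listener inventory with the previous report kept as evidence. Matching on the owning process as well as the port number is what keeps a scan from treating "port 22 is open" as proof that the approved service is what answers there.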
Additional information on NERC CIP requirements for Ports and Services can be found in the Appendix and in the following documents, each of which is incorporated by reference herein in its entirety: “Reliability Standards for the Bulk Electric Systems of North America,” published by NERC, and “NERC CIP Compliance,” published by the Midwest Reliability Organization, a regional electric reliability council under NERC authority. Further, the Bureau of Reclamation has developed a manual for compliance with NERC CIP 005-R2.2 and CIP 007-R2, which may be helpful for further understanding these requirements. This manual is also included in the Appendix and incorporated by reference herein in its entirety.
Thus, existing NERC CIP requirements require power plant operators to document the configuration of those ports and services required for operations, to provide evidence showing that only ports and services required for operations are enabled, and to document measures that mitigate risk when unused ports and services cannot be disabled. As described above, the CIP standards exist to ensure that critical systems are not at risk, or are at limited risk, from potential viruses and system hacks. However, existing “ports and services” scanners are suboptimal for compliance with NERC CIP requirements, in part because of the limitations noted above and in part because these scanners are not integrated with documentation or list management functions. Current methods of compliance require separate applications for each of these functions, making the work of documenting scanned results and making the changes necessary for compliance tedious and inefficient.
In addition, another source of difficulty is that ports and services must be identified, and the minimal set of ports and services determined, according to the NERC CIP definitions, which often differ from information technology (IT) industry standard definitions. This lack of uniformity requires constant monitoring to ensure that a system or systems comply with the differing definitions and continually meet the definitions set by NERC CIP. Therefore, there exists a need for a scanning tool that both meets the specified security requirements and provides an efficient means of documenting the scans performed and reporting the results in relation to the NERC standards.